Best Practices for Leveraging Security Threat Intelligence

Post on 15-Jan-2015


Category:

Technology


DESCRIPTION

The state of threat intelligence in the information security community is still very immature. Many organizations are still combating threats in a reactive manner, only learning what they're dealing with, well...when they're dealing with it. There is a wealth of information in the community, and many organizations have been gathering data about attackers and trends for years. How can we share that information, and what kinds of intelligence are most valuable? In this presentation, we'll start with a brief overview of AlienVault's Open Threat Exchange™ (OTX), and then we'll discuss attack trends and techniques seen in enterprise networks today, with supporting data from AlienVault OTX. We'll also take a look at some new models for collaboration and improving the state of threat intelligence going forward.

TRANSCRIPT

Best Practices for Leveraging Security Threat Intelligence

Dave Shackleford, Voodoo Security and SANS; Russell Spitler, AlienVault

© 2014 The SANS™ Institute - www.sans.org

What IS threat intelligence?

• Threat intelligence is the set of data collected, assessed, and applied regarding:
– Security threats
– Threat actors
– Exploits
– Malware
– Vulnerabilities
– Compromise indicators


What Threat Intelligence ISN’T

• Regarding data for threat intelligence:
– Not just one type of data
– Not just one source of data
– Not just internal or external

• Threat intelligence is also not one form of analysis or reporting

• Threat intelligence can mean different things to different organizations
– This is 100% OK.


Advanced Threats

• Malware-based espionage staged by threat actors that:
– Aggressively pursue and compromise specific targets, often leveraging social engineering
– Maintain a persistent presence within the victim’s network
– Escalate privilege and move laterally within the victim’s network
– Extract sensitive information to locations under the attacker’s control


Today’s Attack Cycle


1. Intelligence Gathering: Target individuals
2. Point of Entry: Social engineering and malware deployment
3. C&C Communication
4. Lateral Movement
5. Asset/Data Discovery: What is important and/or sensitive?
6. Data Exfiltration: Data sent outbound to systems under the attacker’s control

What’s This Leading To?

Source: http://www.forrester.com/Five+Steps+To+Build+An+Effective+Threat+Intelligence+Capability/fulltext/-/E-RES83841


Why Threat Intelligence?

• Attackers are innovating faster than we are

• “Productization” of malware
– Attack kits and “crimeware”
– Reuse of malware and C2 protocols
– Botnets for rent

• Other organizations have likely seen similar attacks or variants
– We can help each other share information to defend better


Adversary Analysis

• Why develop adversary profiles?
– Adversary profiles can provide clues as to attacks, targets, and techniques commonly used

• Adversary Types
– Unsophisticated – “script kiddies”
– Competitors
– State-sponsored
– Organized Crime
– Insiders (can also be one of the above)


What kinds of data can we share?

• DNS entries that are or should be blacklisted

• Countries of origin with specific reputation criteria

• Types of events to look out for:
– Application attacks
– Ports and IP addresses
– Specific types of malware detected

• Vertical-specific likelihood

• And more…


Intelligence can drive Investigations

• Intelligence-driven investigations are based on the preservation of the relationships between the components of individual attacks so that they can be clustered as a campaign.

• Investigative Components
– Malware Analysis
– Network Analysis
– Underground Analysis
– “Big Data” Analysis
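The campaign-clustering idea above, as an added worked example (not code from the presentation or from AlienVault): each incident keeps the components recovered from it, incidents are linked whenever they share any one component, and union-find makes those links transitive so a campaign emerges even when no two incidents share everything. The incident records, field names and values are constructed placeholders.

```python
"""Cluster individual attack observations into campaigns by the components
they share (C2 domain, payload hash, phishing sender). Added example; the
incident records and field names are constructed, not real data."""
from collections import defaultdict

# Constructed sample: one dict per investigated incident, holding the attack
# components recovered from it. Values are placeholders.
OBSERVATIONS = [
    {"id": "inc-001", "c2": "update-check.example", "sha256": "aa11", "sender": "hr@payroll-notice.example"},
    {"id": "inc-002", "c2": "cdn-static.example",   "sha256": "aa11", "sender": "invoice@billing-alert.example"},
    {"id": "inc-003", "c2": "cdn-static.example",   "sha256": "bb22", "sender": "it@helpdesk-reset.example"},
    {"id": "inc-004", "c2": "metrics.example",      "sha256": "cc33", "sender": "news@promo-mail.example"},
    {"id": "inc-005", "c2": "update-check.example", "sha256": "dd44", "sender": "hr@payroll-notice.example"},
]

# Fields whose values count as linking evidence. Attackers rotate any one of
# them between victims, so a match on any single field is enough to link.
LINK_FIELDS = ("c2", "sha256", "sender")


class DisjointSet:
    """Union-find over incident ids: makes 'shares a component with' transitive."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_campaigns(observations, link_fields=LINK_FIELDS):
    """Group incidents into campaigns. Each campaign lists its member incident
    ids and the (field=value) components that tie members together."""
    ds = DisjointSet([o["id"] for o in observations])
    index = defaultdict(list)            # (field, value) -> incident ids
    for o in observations:
        for f in link_fields:
            if o.get(f):
                index[(f, o[f])].append(o["id"])
    for ids in index.values():           # same component => same campaign
        for other in ids[1:]:
            ds.union(ids[0], other)
    groups = defaultdict(list)
    for o in observations:
        groups[ds.find(o["id"])].append(o["id"])
    campaigns = []
    for members in groups.values():
        mset = set(members)
        shared = sorted(f"{f}={v}" for (f, v), ids in index.items()
                        if len(ids) > 1 and set(ids) <= mset)
        campaigns.append({"members": sorted(members), "shared": shared})
    return sorted(campaigns, key=lambda c: c["members"][0])


if __name__ == "__main__":
    for c in cluster_campaigns(OBSERVATIONS):
        print(c["members"], "linked by", c["shared"])
```

In the constructed sample, inc-001 and inc-002 share a payload hash, inc-002 and inc-003 share a C2 domain, and inc-005 shares both C2 and sender with inc-001, so four incidents collapse into one campaign while inc-004 stays separate. The design choice worth noting is that the linking fields are deliberately the attacker's artefacts, not victim data; linking on victim attributes would cluster by target rather than by adversary.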


How to Evaluate Threat Intel Services and Providers

• The first key differentiator is data DIVERSITY:
– Where does the data come from?
– What type(s) of data do you get?
– Do IOC artifacts come in one format (e.g. file hashes) or multiple?
– What specifics are available (vertical/industry, geography, etc.)?


How to Evaluate Threat Intel Services and Providers

• The second differentiator is data ANALYSIS:
– What kind of analysis is performed?
– Who does the analysis?
– To what depth is analysis done – basic IOCs, or full traceback?
– Is the data correlated with other information?


How to Evaluate Threat Intel Services and Providers

• The third differentiator is data QUALITY:
– Does the data go through a “QA” process?
– Is data revisited/re-analyzed to ensure it is still accurate?
– When are indicators “expired”?
– What is the expiration strategy/lifecycle … on an ongoing basis?
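The expiration questions above, as an added worked example of one concrete answer (this is not the presentation's or any vendor's lifecycle logic): each indicator type gets its own time-to-live, confidence decays linearly since the last sighting, re-analysis restarts the clock and combines evidence, and a QA process can revoke an indicator outright. The TTL values, the decay model and the sample indicators are assumptions.

```python
"""Indicator lifecycle for a threat feed: type-specific time-to-live, linear
confidence decay since last sighting, refresh on re-analysis, and explicit
revocation by a QA process. Added example; the TTLs, the decay model and the
sample indicators are assumptions, not the presentation's or any vendor's."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed lifetimes. Network indicators churn (shared hosting, reassigned
# IPs, sinkholed domains); a file hash of known malware stays bad.
TTL = {
    "ipv4": timedelta(days=14),
    "domain": timedelta(days=30),
    "url": timedelta(days=30),
    "sha256": timedelta(days=365),
}


@dataclass
class Indicator:
    value: str
    kind: str
    first_seen: datetime
    last_seen: datetime
    confidence: float        # 0..1 as assessed at last_seen
    sightings: int = 1
    revoked: bool = False    # set when QA finds a false positive


def current_confidence(ind, now):
    """Confidence decays linearly from last_seen to last_seen + TTL[kind];
    it is 0 once the indicator has expired or been revoked."""
    if ind.revoked:
        return 0.0
    age = max(now - ind.last_seen, timedelta(0))
    ttl = TTL[ind.kind]
    if age >= ttl:
        return 0.0
    return ind.confidence * (1 - age / ttl)


def reobserve(ind, when, new_confidence):
    """Re-analysis confirmed the indicator: restart the clock and combine the
    two assessments as independent evidence (noisy-OR)."""
    ind.last_seen = max(ind.last_seen, when)
    ind.sightings += 1
    ind.confidence = 1 - (1 - ind.confidence) * (1 - new_confidence)
    return ind


def active(indicators, now, threshold=0.5):
    """Indicators still worth alerting on at `now`."""
    return [i for i in indicators if current_confidence(i, now) >= threshold]


# Constructed sample feed, all first published on the same day.
T0 = datetime(2014, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    Indicator("198.51.100.7", "ipv4", T0, T0, 0.9),
    Indicator("update-check.example", "domain", T0, T0, 0.8),
    Indicator("aa11" * 16, "sha256", T0, T0, 0.95),
    Indicator("203.0.113.9", "ipv4", T0, T0, 0.9, revoked=True),
]

if __name__ == "__main__":
    for days in (0, 7, 20, 40):
        now = T0 + timedelta(days=days)
        print(f"day {days:2d}:", [i.value for i in active(SAMPLE, now)])
```

With these assumed TTLs a never-reconfirmed IP address drops below the alerting threshold after a week and is gone after two, while a malware hash remains actionable for most of a year; a single re-observation of the IP pushes it back to full strength. Whatever model a provider uses, the questions to ask are exactly the ones on the slide: what the clock is, what resets it, and who can revoke.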


Example: Sinkhole Case

• A known malware propagation platform communicating with a C&C server

• This can fuel a sinkhole approach
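What "fuel a sinkhole approach" can mean in practice, as an added example that is not from the presentation: shared, validated C2 domains are turned into resolver configuration that answers those names (and their subdomains) with an address you control, so infected hosts reveal themselves in the sinkhole's logs instead of reaching the attacker. The block emits unbound.conf stanzas, mirrors the same lookup so the zone list can be checked against a DNS query log before deployment, and refuses to sinkhole anything under an allowlisted domain. The domains, the sinkhole address and the log excerpt are constructed.

```python
"""Resolver sinkhole from shared C2 domains. Added example, not from the
presentation: emits unbound.conf stanzas that answer each C2 name (and any
subdomain, which is what unbound's 'redirect' local-zone does) with an address
you control, and mirrors that lookup so the zone list can be checked against
DNS logs first. Domains, addresses and the log excerpt are constructed."""
import ipaddress


def normalize(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def covered_by(qname, zones):
    """Zone whose 'redirect' would answer qname, or None."""
    q = normalize(qname)
    for z in zones:
        if q == z or q.endswith("." + z):
            return z
    return None


def unbound_sinkhole_config(c2_domains, sinkhole_ip, allowlist=()):
    """Return (config_text, zones, skipped). Allowlisted names and their
    subdomains are never sinkholed: one bad CDN entry blackholes real traffic."""
    ipaddress.ip_address(sinkhole_ip)        # fail early on a typo
    allow = sorted({normalize(a) for a in allowlist})
    lines = ["# generated sinkhole zones; include from the server: section"]
    zones, skipped = [], []
    for d in sorted({normalize(x) for x in c2_domains}):
        if covered_by(d, allow):
            skipped.append(d)
            continue
        zones.append(d)
        lines.append(f'local-zone: "{d}." redirect')
        lines.append(f'local-data: "{d}. A {sinkhole_ip}"')
    return "\n".join(lines) + "\n", zones, skipped


def infected_clients(dns_log, zones):
    """Client IPs that resolved a sinkholed name, mapped to the zones hit:
    these are the hosts to clean up. Assumed log format per line:
    '<ts> <client_ip> <qname> <qtype>'."""
    hits = {}
    for line in dns_log.splitlines():
        _ts, client, qname, _qtype = line.split()
        z = covered_by(qname, zones)
        if z:
            hits.setdefault(client, set()).add(z)
    return hits


# Constructed input: three shared C2 names, one of which sits under a CDN
# that must stay reachable, plus a short resolver query log.
C2 = ["Update-Check.Example.", "cdn-static.example", "evil.akamaihd.net"]
ALLOW = ["akamaihd.net"]
DNS_LOG = """\
1410000001 10.9.8.7 www.example.org A
1410000002 10.9.8.7 cdn.update-check.example A
1410000003 10.9.8.9 UPDATE-CHECK.EXAMPLE. A
1410000004 10.9.8.2 evil.akamaihd.net A
"""

if __name__ == "__main__":
    cfg, zones, skipped = unbound_sinkhole_config(C2, "192.0.2.1", ALLOW)
    print(cfg, "skipped:", skipped)
    print(infected_clients(DNS_LOG, zones))
```

The sinkhole address should point at a host you log on (the connections it receives are your list of infected machines), and the allowlist check matters more than it looks: a C2 hosted on shared CDN or cloud space is still a valid indicator for alerting, but redirecting the whole parent domain would take legitimate services down with it.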


Example: C&C Events

• Active malware command and control communications


Example: File Download Activity

• File download IOC:


Example: Java File Download

• Another malware download example, this time with a Java .jar file:


AlienVault Open Threat Exchange

Open Threat Exchange (OTX) is a framework to allow collaboration for enhanced threat assessment and response


Built into AlienVault USM & OSSIM

• Diverse threat data
– Unified Security Management
– SIEM, IDS, VA, HIDS, Netflow in one product

• Diverse install base
– >12,000 installations
– Open Source & Commercial


Automate Threat Sharing & Action

(Diagram, built up over five slides: a “Bad Guy” attacks an AlienVault USM or OSSIM installation (Installation 1), which contributes to AlienVault OTX, which in turn feeds a second AlienVault USM or OSSIM installation (Installation 2). The steps shown:)

1. Observed Attack
2. Anonymous Contribution
3. Data Validation
4. Distribute Threat Intelligence
5. Identify Malicious Activity
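The five steps of that flow, as an added worked example (this is not OTX code and makes no claim about how OTX implements any step): Installation 1 observes an attack, strips everything that identifies itself or its victim before contributing, the exchange validates the record and explains any rejection, and Installation 2 matches the distributed indicator against its own proxy log. The alert fields, the validation rules, the allowlist, the per-organization secret used for the contributor pseudonym, the log format and every value are constructed placeholders.

```python
"""Sharing flow sketch: an installation observes an attack, strips whatever
identifies itself before contributing, the exchange validates the record,
and a second installation matches the distributed indicator against its own
proxy log. Added example, not OTX code; the alert fields, validation rules,
log format and every value below are constructed placeholders."""
import ipaddress
import re
from hashlib import sha256

# 1. Observed attack: a raw local IDS alert (constructed).
RAW_ALERT = {
    "sensor": "ids-nyc-03.corp.internal",
    "src_ip": "10.20.30.40",             # internal victim
    "dst_ip": "198.51.100.23",           # external C2 (documentation range as placeholder)
    "dst_host": "Update-Check.Example.",
    "uri": "/gate.php?id=ACME-FINANCE-WS17",   # victim tag in the query string
    "sha256": "aa11" * 16,
    "signature": "ET MALWARE Generic C2 POST",
}


# 2. Anonymous contribution: keep attacker-side artefacts only.
def to_contribution(alert, org_secret):
    """Drop victim identifiers and replace the contributor with a keyed
    pseudonym so the exchange can de-duplicate without learning who sent it.
    org_secret is an assumed per-organization secret."""
    host = alert["dst_host"].rstrip(".").lower()
    path = alert["uri"].split("?", 1)[0]        # query strings carry victim tags
    return {
        "contributor": sha256((org_secret + alert["sensor"]).encode()).hexdigest()[:16],
        "ipv4": alert["dst_ip"],
        "domain": host,
        "url": f"http://{host}{path}",
        "sha256": alert["sha256"].lower(),
        "signature": alert["signature"],
    }


# 3. Validation at the exchange.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Internal/loopback/link-local/multicast space is never an external C2. A
# production filter would also drop bogons and the documentation ranges
# that this example uses as placeholders.
NOT_SHAREABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]
# Constructed allowlist: shared infrastructure that would flood every
# subscriber with false positives if published as an indicator.
ALLOWLIST = {"microsoft.com", "google.com", "akamaihd.net"}


def validate(contrib):
    """Return (ok, reasons) so a rejected contribution can be explained."""
    reasons = []
    ip = ipaddress.ip_address(contrib["ipv4"])
    if any(ip in net for net in NOT_SHAREABLE):
        reasons.append("ip not externally routable")
    d = contrib["domain"]
    if not DOMAIN_RE.match(d):
        reasons.append("malformed domain")
    elif any(d == a or d.endswith("." + a) for a in ALLOWLIST):
        reasons.append("allowlisted domain")
    if not re.fullmatch(r"[0-9a-f]{64}", contrib["sha256"]):
        reasons.append("sha256 is not 64 hex digits")
    return (not reasons, reasons)


# 4/5. Distribution to Installation 2, which matches against its proxy log.
# Constructed log lines: '<ts> <client> <result> <method> <url>'.
LOCAL_LOGS = """\
1410000001.123 10.9.8.7 TCP_MISS/200 GET http://update-check.example/gate.php?id=OTHER-CO-PC4
1410000002.456 10.9.8.9 TCP_MISS/200 GET http://www.example.org/index.html
1410000003.789 10.9.8.7 TCP_MISS/200 GET http://cdn.update-check.example/payload.bin
1410000004.001 10.9.8.2 TCP_MISS/200 GET http://198.51.100.23/gate.php
"""


def matches(indicators, log_text):
    """(line_no, kind, value) for every hit; subdomains of a shared domain
    also match, and URL matching ignores the query string."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        url = line.split()[-1]
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        for ind in indicators:
            if host == ind["ipv4"]:
                hits.append((n, "ipv4", host))
            if host == ind["domain"] or host.endswith("." + ind["domain"]):
                hits.append((n, "domain", host))
            if url.split("?", 1)[0].lower() == ind["url"]:
                hits.append((n, "url", ind["url"]))
    return hits


if __name__ == "__main__":
    contrib = to_contribution(RAW_ALERT, "per-org-secret")
    ok, why = validate(contrib)
    print("contribution", "accepted" if ok else f"rejected: {why}")
    if ok:
        for hit in matches([contrib], LOCAL_LOGS):
            print("hit", hit)
```

Two details are the point of the exercise. The contribution step removes the victim's address, the sensor name and the victim tag that the attacker embedded in the URL query string; a feed that leaks any of those is not anonymous, however the transport is protected. And the matching step on the receiving side deliberately matches subdomains and strips query strings, because the same C2 that tagged one victim as ACME-FINANCE-WS17 will tag the next one differently.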

Current OTX Participation

• 17,000 contributions per day
• 140 countries
• 500k IPs, URLs, and malware samples analyzed daily


Attack Trends and Examples

• Current attack trends include:
– Stealth malware
– HTTP/HTTPS C&C channels
– Anti-forensics
– New and varied DDoS tactics
– Myriad web app attacks
– Client-side attacks with social engineering as the primary attack vector

• How can we learn about these?


Conclusion

• We’re all facing attacks, all the time

• We have a lot of data – why not share it?

• To advance the state of threat intelligence, we’ll need to collaborate and correlate data at a much larger scale

• OTX is one effort to do just that


Questions?

Follow-up?

Q@SANS.ORG

Thank You!

